Adding a network for ipv6 outside the firewall

Presume I have a prefix delegated from my ISP or from Hurricane Electric, and I want to have a network interface expose one IPv6 subnet outside of the normal firewall.
Say I set up an IPv6-only network for guests and I wish to subject them to full visibility to the IPv6 internet.

Is it reasonable to create the interface, set it up as only an IPv6 (with delegated subnet from upstream), and put it into the WAN firewall zone?

Is it possible to have the interface split with IPv4 in one zone and IPv6 in another zone? Say, by using an alias interface, or just having the two interfaces on the same device, but each in a different firewall zone?

No, I don't really want to do this, it's a security risk of someone infiltrating via un-firewalled IPv6 and then getting out via behind-the-firewall IPv4...but I'm just curious if this would work or if the firewalling can't handle an interface with split IPv4/IPv6?

Presume?

Did you setup Hurricane or verify your ISP has IPv6?

I don't understand why you'd want local clients in your WAN; but yes you can create an IPv6 only addressed network. You could use LAN, or make another zone - but I'm confused on why you want them in the insecure WAN.

Why would your IPv6 be unfiltered...did you turn off/disable the firewall?

My goal here is to have an IPv6-only subnet, (/64), delegated from my upstream. I have one system with an HE tunnel (/48) and another with an ISP-delegated /56. But either way, the config with firewall zones and rules would be the same: I want a subnet of the public routable IPv6 delegation, with no firewall rules between it and the public IPv6 internet.

Why? Because I want to experiment with IPv6 configs, and public networking. Perhaps I'll set up a honeypot on the network...or otherwise just want to see how well things work with public IPv6 addresses not protected by firewalls or behind NAT.

As for a configuration to achieve this, I think I have to set up a separate firewall zone. If I were to put this subnet into the WAN zone, it would be subject to the normal inbound blocking rules that guard the WAN interface. I think I need to set up a new zone and configure forwarding/access as needed so the hosts in the zone can get what they need from the WAN interface (probably at least DHCPv6, to assign DNS via public DNS servers).

I didn't explain this well. I was musing about whether it's possible to have a single physical network with the IPv4 and IPv6 traffic assigned to separate zones. That's a bad idea, since any host in this zone is a possible vector for infiltration and jumping zones.
In the posited IPv6-outside-the-firewall network, this is a really bad idea if the IPv4 zone has any access to anything else behind the firewall.

I can't see why you need different zones for IPv4 and IPv6. Can't you have one zone that's not allowed to access any of your other zones except the wan zone? Set the default polices of Input and Forward to drop or reject, and add traffic rules for the services you need on the router such as DHCP, DNS etc.

I don't want different zones for IPv4 and IPv6. I'm just theorizing about what happens if you do that. In this case, I can't put any IPv4 outside the firewall because I have no routable IPv4 subnets.

Sorry I should have put the question about different zones into a totally different question/post.

I can't put any IPv4 outside the firewall because I have no routable IPv4 subnets.

I don't know what it means to put IPv4 or IPv6 "outside the firewall", while OpenWrt still handles routing. I think there is always a firewall in Linux if you load the modules that make up the firewall. Maybe you can stop OpenWrt from loading some firewall modules, but if you want to configure any firewall (for example between wan and lan) on OpenWrt then you need those modules.

Ah, by "outside the firewall" I mean in a firewall zone that has nothing blocked (wide-open to communicate with the WAN zone and the routed internet). An IPv6 subnet can live there and be reachable from the outside world (with appropriate configuration to allow all routing to/from the internet), but there's no IPv4 subnet that can work there, since there's only one routable IPv4 address from the ISP, and that's on the WAN interface.

OK, so I got the experiment working. I was tripped up briefly by a bug in the 22.03.0-rc1 firewall, that doesn't properly instantiate ipv6-only firewall zones.

Summary:

  • create an interface for ipv6 only, with delegated addresses from upstream IPv6 WAN
  • create a firewall zone for the open-to-the-world IPv6 subnet
    • configured to allow forwarding to/from wan
    • rules to allow ICMPv6 and DHCPv6 into the router
  • Only connect hardened devices to the network--there's no protection from public IPv6 network traffic!

The network definition: a bridge for the network, (VLAN 7), and the interface with static IPv4 (not assigned), and subnet 7 delegated from upstream tunnelwan6:

root@LEDE:~# uci show network.br_only6
network.br_only6=device
network.br_only6.type='bridge'
network.br_only6.name='br-only6'
network.br_only6.bridge_empty='1'
network.br_only6.ports='eth1.7'

root@LEDE:~# uci show network.only6
network.only6=interface
network.only6.device='br-only6'
network.only6.proto='static'
network.only6.delegate='0'
network.only6.ip6assign='64'
network.only6.ip6class='tunnelwan6'
network.only6.ip6hint='7'

Firewall zone for the open ipv6 network:

root@LEDE:~# uci show firewall.open
firewall.open=zone
firewall.open.name='open'
firewall.open.output='ACCEPT'
firewall.open.forward='ACCEPT'
firewall.open.network='only6'
firewall.open.input='REJECT'

Forwarding zone rules:

root@LEDE:~# uci show firewall.open_to_wan
firewall.open_to_wan=forwarding
firewall.open_to_wan.src='open'
firewall.open_to_wan.dest='wan'
root@LEDE:~# uci show firewall.wan_to_open
firewall.wan_to_open=forwarding
firewall.wan_to_open.src='wan'
firewall.wan_to_open.dest='open'

Input rules:

root@LEDE:~# uci show firewall.ICMPv6_input_open
firewall.ICMPv6_input_open=rule
firewall.ICMPv6_input_open.name='Allow-ICMPv6-Input-open'
firewall.ICMPv6_input_open.proto='icmp'
firewall.ICMPv6_input_open.limit='1000/sec'
firewall.ICMPv6_input_open.family='ipv6'
firewall.ICMPv6_input_open.target='ACCEPT'
firewall.ICMPv6_input_open.icmp_type='bad-header' 'destination-unreachable' 'echo-reply' 'echo-request' 'neighbour-advertisement' 'neighbour-solicitation' 'packet-too-big' 'router-advertisement' 'router-solicitation' 'time-exceeded' 'unknown-header-type'
firewall.ICMPv6_input_open.src='open'

root@LEDE:~# uci show firewall.open_dhcp6
firewall.open_dhcp6=rule
firewall.open_dhcp6.family='ipv6'
firewall.open_dhcp6.proto='udp'
firewall.open_dhcp6.dest_port='547'
firewall.open_dhcp6.target='ACCEPT'
firewall.open_dhcp6.name='open_dhcp6'
firewall.open_dhcp6.src='open'
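The concern raised earlier in the thread (a host in the open zone being used to jump into other zones) and the posted configuration above can be checked mechanically. The following is an added example, not code from the original post or from OpenWrt: it parses `uci show` output into a dictionary and audits a deliberately unfiltered zone for the three properties the thread relies on, namely that the zone cannot forward into anything except `wan`, that the router's input policy for it is not ACCEPT, and that none of its interfaces carries an IPv4 address. The sample input is the configuration from the post with one constructed extra section, `firewall.open_to_lan`, added so that the check has something to flag.

```python
import re

# Constructed sample: the 'uci show' output from the post, plus one extra
# forwarding section (open -> lan) added here to show what the audit flags.
SAMPLE_UCI = """\
network.only6=interface
network.only6.device='br-only6'
network.only6.proto='static'
network.only6.delegate='0'
network.only6.ip6assign='64'
network.only6.ip6class='tunnelwan6'
network.only6.ip6hint='7'
firewall.open=zone
firewall.open.name='open'
firewall.open.output='ACCEPT'
firewall.open.forward='ACCEPT'
firewall.open.network='only6'
firewall.open.input='REJECT'
firewall.open_to_wan=forwarding
firewall.open_to_wan.src='open'
firewall.open_to_wan.dest='wan'
firewall.wan_to_open=forwarding
firewall.wan_to_open.src='wan'
firewall.wan_to_open.dest='open'
firewall.open_to_lan=forwarding
firewall.open_to_lan.src='open'
firewall.open_to_lan.dest='lan'
firewall.open_dhcp6=rule
firewall.open_dhcp6.family='ipv6'
firewall.open_dhcp6.proto='udp'
firewall.open_dhcp6.dest_port='547'
firewall.open_dhcp6.target='ACCEPT'
firewall.open_dhcp6.name='open_dhcp6'
firewall.open_dhcp6.src='open'
"""

# One single-quoted word; several of them on a line form a UCI list option.
_VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")


def parse_uci_show(text):
    """Parse 'uci show' output into {config: {section: {".type": t, option: value}}}.

    'config.section=type' records the section type under the ".type" key;
    'config.section.option=value' records an option. A value made of several
    quoted words ('a' 'b') is a UCI list and becomes a Python list.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = key.split(".")
        if len(parts) == 2:
            cfg.setdefault(parts[0], {}).setdefault(parts[1], {})[".type"] = value
        elif len(parts) == 3:
            section = cfg.setdefault(parts[0], {}).setdefault(parts[1], {})
            vals = _VALUE_RE.findall(value)
            section[parts[2]] = vals[0] if len(vals) == 1 else (vals or value)
    return cfg


def audit_open_zone(cfg, zone="open", allowed_dest=("wan",)):
    """Return a list of findings for a zone that is meant to be open to the internet.

    The zone may only forward into the zones named in allowed_dest, its router
    input policy must not be ACCEPT, and its interfaces must carry no IPv4
    address (an IPv4 foothold there would bypass the separation the thread wants).
    An empty list means the configuration matches that intent.
    """
    fw = cfg.get("firewall", {})
    net = cfg.get("network", {})
    findings = []
    zones = {s.get("name"): s for s in fw.values() if s.get(".type") == "zone"}
    z = zones.get(zone)
    if z is None:
        return [f"zone '{zone}' is not defined"]
    if z.get("input", "REJECT") == "ACCEPT":
        findings.append(f"zone '{zone}' input policy is ACCEPT; router services are exposed")
    for name, s in fw.items():
        if s.get(".type") != "forwarding" or s.get("src") != zone:
            continue
        if s.get("dest") not in allowed_dest:
            findings.append(f"forwarding '{name}' lets zone '{zone}' reach zone '{s.get('dest')}'")
    nets = z.get("network", [])
    if isinstance(nets, str):
        nets = nets.split()
    for iface in nets:
        ipaddr = net.get(iface, {}).get("ipaddr")
        if ipaddr:
            findings.append(f"interface '{iface}' in zone '{zone}' has IPv4 address {ipaddr}")
    return findings


if __name__ == "__main__":
    for finding in audit_open_zone(parse_uci_show(SAMPLE_UCI)):
        print("FINDING:", finding)
```

On the configuration exactly as posted the audit returns no findings; with the constructed `open_to_lan` forwarding it reports that the open zone can reach `lan`. The same check can be run against a live router by feeding it the output of `uci show firewall; uci show network`.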

Out of curiosity, what exactly is the point of this experiment? What are you trying to find out by bypassing the firewall? It seems like something that has very little benefit for ipv6 and a lot of negatives..

Mostly, because I can. (Proof of concept that it's possible to set up an unprotected isolated publicly-routed IPv6 network with OpenWrt.)
But also as a test bed where I can set up devices subject to external probing/mischief, and potentially setup an IPv6 honeypot to see who comes knocking.

Still not sure I see the point.. Creating an OpenWRT firewall zone that allows unrestricted forwarding to/from the WAN is fairly straightforward, but it doesn't really achieve anything useful for real world applications.

I'm also not sure why you'd want to unprotect devices that may be subject to external 'mischief'. But hey, whatever makes you happy...
